[keycloak-dev] Direct Grant API for Confidential Clients

Lance Ball lball at redhat.com
Mon May 16 17:19:05 EDT 2016


Hi All

I've been updating the keycloak-nodejs-auth-utils module to keep up with
recent changes in Keycloak, and one thing I've noticed seems to contradict
what's written in the documentation. Can anyone provide clarity on this for
me?

In the docs for Direct Access Grants[1] it says, "For confidential
client's, you must create a Basic Auth Authorization header that contains
the client_id and client secret. And pass in the form parameters for
username and for each user credential. For example:"

    POST /auth/realms/demo/protocol/openid-connect/token
    Authorization: Basic atasdf023l2312023
    Content-Type: application/x-www-form-urlencoded

    username=bburke&password=geheim&grant_type=password

(That's copied and pasted into GMail. I hope the formatting is OK).

But in the keycloak-nodejs-auth-utils module, I am able to obtain a grant
without including the username and password. Additionally, I must specify
'client_credentials' as the grant_type [2].

Do I misunderstand what is going on here or is the documentation out of
date?

Thanks
Lance

[1]
http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html
[2]
https://github.com/keycloak/keycloak-nodejs-auth-utils/blob/master/lib/grant-manager.js#L71-L79